[TOOL] Fwknop - Firewall Knock Operator
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com Date: 19 Sep 2004 14:07:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Fwknop - Firewall Knock Operator
fwknop stands for "Firewall Knock Operator" and is a piece of software
that was released at the
<http://www.defcon.org/html/defcon-12/dc-12-index.html> DEFCON 12
conference in July, 2004 in Las Vegas.
fwknop implements network access controls (via iptables) based on a
flexible port knocking mini-language, but with a twist; it combines port
knocking and passive operating system fingerprinting to make it possible
to do things like only allow, say, Linux-2.4/2.6 systems to connect to
your SSH daemon.
fwknop supports shared, multi-protocol port knock sequences along with
both relative and absolute timeouts, and coded port knock sequences
encrypted with the Rijndael block cipher.
fwknop implements a flexible port knocking scheme based around log
messages generated by the iptables firewall in the Linux kernel. fwknop
supports both shared and encrypted port knock sequences, passive OS
fingerprinting, multi-protocol knock sequences (tcp, udp, and icmp),
firewall access across multiple ports and protocols, firewall access
timeouts, relative timeouts between knock packets, and more. There are two
primary modes of execution; server mode, and client mode. When run in
server mode, fwknop becomes a daemon and watches iptables log messages as
they are written via syslog to a named pipe /var/lib/fwknop/fwknopfifo. If
a valid knock sequence is seen, then fwknop will modify the iptables
ruleset to grant the appropriate access to the originating IP address.
Knock sequence parameters are defined in the file /etc/fwknop/access.conf.
When run in client mode, fwknop generates either an encrypted knock
sequence, or a shared knock sequence. Shared knock sequences are defined
in the file ~/.fwknoprc.
To obtain the latest version of fwknop visit:
The project's CVS repository is available at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.